Searching for domain users in the vCenter UI is intermittently very slow: the UI spins in a loop showing "Searching...".
The browser is the latest version.
This happens only when domain accounts are logged in to vCenter; the issue does not occur when using [email protected].
Entries in /var/log/vmware/sso/vmware-identity-sts.log:
YYYY-MM-DDTHH:MM:SS INFO sts[65:tomcat-http--27] [CorId=######-####-####-#####001] [com.vmware.identity.sts.ws.handlers.SOAPHeadersExtractor] Found 1 {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security headers
YYYY-MM-DDTHH:MM:SS INFO sts[65:tomcat-http--27] [CorId=######-####-####-#####001] [com.vmware.identity.sts.ws.handlers.XMLSignatureValidator] Found signature _######-####-####-#####
YYYY-MM-DDTHH:MM:SS INFO sts[65:tomcat-http--27] [CorId=######-####-####-#####001] [com.vmware.identity.sts.ws.SignatureValidator] Got signing certificate
YYYY-MM-DDTHH:MM:SS INFO sts[65:tomcat-http--27] [CorId=######-####-####-#####001] [com.vmware.identity.sts.ws.handlers.XMLSignatureValidator] Signature _######-####-####-##### is valid
YYYY-MM-DDTHH:MM:SS INFO sts[65:tomcat-http--27] [CorId=######-####-####-#####001] [com.vmware.identity.token.impl.SamlTokenImpl] SAML token for SubjectNameId [value=<domain-users>@<domain name>, format=http://schemas.xmlsoap.org/claims/UPN] successfully parsed from Element
YYYY-MM-DDTHH:MM:SS INFO sts[65:tomcat-http--27] [CorId=######-####-####-#####001] [com.vmware.identity.sts.impl.STSImpl] Entering issue() token...
<--- 30 secs later --->
YYYY-MM-DDTHH:MM:SS INFO sts[65:tomcat-http--27] [CorId=######-####-####-#####002] [com.vmware.identity.idm.server.provider.PooledLdapConnectionFactory] New connection created in pool PooledLdapConnectionIdentity [tenantName=vsphere.local, username=null, authType=USE_KERBEROS, useGCPort=false, connectionString=ldap://<AD server fqdn>]
YYYY-MM-DDTHH:MM:SS INFO sts[65:tomcat-http--27] [CorId=######-####-####-#####001] [com.vmware.identity.saml.impl.AuthnOnlyTokenValidator] Token _######-####-####-##### for principal {Name: <domain-users>, Domain: <domain name>} successfully validated.
YYYY-MM-DDTHH:MM:SS INFO sts[65:tomcat-http--27] [CorId=######-####-####-#####001] [com.vmware.identity.saml.impl.AuthnOnlyTokenValidator] Token _######-####-####-##### validated with SubjectValidation Regular.
YYYY-MM-DDTHH:MM:SS INFO sts[65:tomcat-http--27] [CorId=######-####-####-#####001] [com.vmware.identity.saml.impl.TokenLifetimeRemediator] There is a HoK confirmation certificate with end time: 2027-11-04T11:11:16.000+0000
Running checkADConfig.sh:
[Query: /opt/likewise/bin/lw-get-dc-list <Domain-name> --kdc-required]
Got ## DCs:
===========
...
DC ##: Name = '<AD server fqdn>', Address = '192.168.0.1'
[Query: nc -zv -w 5 192.168.0.1 389]
192.168.0.1 389 (ldap): Connection timed out
real 0m5.008s
user 0m0.003s
sys 0m0.000s
[Query: nc -zv -w 5 192.168.255.1 3268]
<AD server fqdn> [192.168.255.1] 3268 (msft-gc) open
real 0m0.004s
user 0m0.004s
sys 0m0.000s
Confirmed that 192.168.0.1 is the HP ILOM (out-of-band management) IP address of the AD server, not an address on which the domain controller serves LDAP.
vCenter Server with Active Directory identity source.
More than one IP address is configured for the AD server on the user's DNS server. One of them, 192.168.0.1, does not respond, so the connection attempt times out after 30 seconds; vCenter then tries the other address, 192.168.255.1, which succeeds.
Remove the problematic IP address 192.168.0.1 of the AD server from the DNS server.
Alternatively, add the problematic AD server address to the blacklist by following https://knowledge.broadcom.com/external/article?articleNumber=374665
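The check above can be scripted. The following added example (not part of this article and not VMware's checkADConfig.sh) resolves every DNS record for the AD server's FQDN and TCP-probes each one on 389 and 3268, the way checkADConfig.sh does with nc, so a record that only times out (and therefore stalls the STS) stands out from one that answers. The FQDN argument and the 5-second timeout are assumptions; self_check() uses a constructed local listener so the classification can be exercised offline.

```python
import errno
import socket
import sys
import time

AD_PORTS = {389: "ldap", 3268: "msft-gc"}  # the ports checkADConfig.sh probes

def resolve_all(fqdn):
    """Every IPv4 address DNS returns for the AD server's FQDN."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(address, port, timeout=5.0):
    """TCP connect to address:port -> (status, seconds). Only 'timeout'
    makes the STS stall; 'refused' and 'unreachable' fail fast."""
    start = time.monotonic()
    try:
        with socket.create_connection((address, port), timeout=timeout):
            status = "open"
    except socket.timeout:
        status = "timeout"
    except OSError as exc:
        status = "refused" if exc.errno == errno.ECONNREFUSED else "unreachable"
    return status, time.monotonic() - start

def stalling_addresses(addresses, ports=AD_PORTS, timeout=5.0):
    """DNS records that time out on every AD port: each connection attempt
    to them hangs for the full connect timeout before the next is tried."""
    return [a for a in addresses
            if all(probe(a, p, timeout)[0] == "timeout" for p in ports)]

def self_check():
    """Constructed offline check: a listening local port must probe 'open';
    the same port once nothing listens on it must probe 'refused'."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        opened = probe("127.0.0.1", port, timeout=2.0)[0]
    closed = probe("127.0.0.1", port, timeout=2.0)[0]  # listener is gone now
    return opened, closed

if __name__ == "__main__":
    addrs = resolve_all(sys.argv[1])  # assumed: AD server FQDN from lw-get-dc-list
    for addr in addrs:
        for port, name in AD_PORTS.items():
            status, secs = probe(addr, port)
            print(f"{addr} {port} ({name}): {status} in {secs:.3f}s")
    print("records to remove or blacklist:", stalling_addresses(addrs) or "none")
```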